X-Git-Url: http://git.squeep.com/?a=blobdiff_plain;f=lib%2Fpleroma%2Fweb%2Fmastodon_api%2Fcontrollers%2Fmedia_controller.ex;h=5918b288d49e1cceb6aa9ca39b06fba8b0676735;hb=fc842aa7c78fb0380708dfecf2e7a515f66ec815;hp=afa8b2ea29677bc9e059eee1bbc2425ba144a787;hpb=af9dfdce6b502d3a33db7a496879dda56719f56e;p=akkoma

diff --git a/lib/pleroma/web/mastodon_api/controllers/media_controller.ex b/lib/pleroma/web/mastodon_api/controllers/media_controller.ex
index afa8b2ea2..5918b288d 100644
--- a/lib/pleroma/web/mastodon_api/controllers/media_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/media_controller.ex
@@ -1,18 +1,18 @@
 # Pleroma: A lightweight social networking server
-# Copyright Â© 2017-2020 Pleroma Authors <https://pleroma.social/>
+# Copyright Â© 2017-2021 Pleroma Authors <https://pleroma.social/>
 # SPDX-License-Identifier: AGPL-3.0-only
 
 defmodule Pleroma.Web.MastodonAPI.MediaController do
   use Pleroma.Web, :controller
 
   alias Pleroma.Object
-  alias Pleroma.Plugs.OAuthScopesPlug
   alias Pleroma.User
   alias Pleroma.Web.ActivityPub.ActivityPub
+  alias Pleroma.Web.Plugs.OAuthScopesPlug
 
   action_fallback(Pleroma.Web.MastodonAPI.FallbackController)
+  plug(Majic.Plug, [pool: Pleroma.MajicPool] when action in [:create, :create2])
   plug(Pleroma.Web.ApiSpec.CastAndValidate)
-  plug(:put_view, Pleroma.Web.MastodonAPI.StatusView)
 
   plug(OAuthScopesPlug, %{scopes: ["read:media"]} when action == :show)
   plug(OAuthScopesPlug, %{scopes: ["write:media"]} when action != :show)
@@ -56,7 +56,7 @@ defmodule Pleroma.Web.MastodonAPI.MediaController do
   @doc "PUT /api/v1/media/:id"
   def update(%{assigns: %{user: user}, body_params: %{description: description}} = conn, %{id: id}) do
     with %Object{} = object <- Object.get_by_id(id),
-         true <- Object.authorize_mutation(object, user),
+         :ok <- Object.authorize_access(object, user),
          {:ok, %Object{data: data}} <- Object.update_data(object, %{"name" => description}) do
       attachment_data = Map.put(data, "id", object.id)
 
@@ -66,10 +66,10 @@ defmodule Pleroma.Web.MastodonAPI.MediaController do
 
   def update(conn, data), do: show(conn, data)
 
-  # TODO: clarify: is the access to non-owned objects granted intentionally?
   @doc "GET /api/v1/media/:id"
-  def show(conn, %{id: id}) do
-    with %Object{data: data, id: object_id} <- Object.get_by_id(id) do
+  def show(%{assigns: %{user: user}} = conn, %{id: id}) do
+    with %Object{data: data, id: object_id} = object <- Object.get_by_id(id),
+         :ok <- Object.authorize_access(object, user) do
       attachment_data = Map.put(data, "id", object_id)
 
       render(conn, "attachment.json", %{attachment: attachment_data})